by gipsies 2626 days ago
If we look at the paper then these remarks are all discussed:

- Defending against downgrade attack: "A client should remember if a network supports WPA3-SAE. That is, after successfully connecting using SAE [..] the client must never connect to this network using a weaker handshake". The Google Pixel 3 is thankfully already doing this, but others aren't. So perfectly preventable, and something the Wi-Fi Alliance could have included in their WPA3 specification.

- Side-channel leaks: "A backwards-compatible countermeasure is to replace the two vulnerable branches with a constant-time select utility, and use constant time Legendre symbol computation as defined in [73]". The WPA3 standard already contained certain side-channel defenses, but it was still vulnerable. They could've also included these new defenses in the WPA3 standard.

- Denial-of-Service attack: "... our attack is more efficient than a straightforward DoS where an attacker simply jams the channel." We only needed to inject 10 commit frames every second to overload a professional AP.

- Modern crypto standards should be written so the chance of implementation bugs is low. For example, the new hash-to-curve algorithms being standardized include side-channel defenses in the specification itself. See their usage of the CMOV instruction that provides a "Common software implementations of constant-time selects" https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-03
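The side-channel remark above points at two concrete fixes: a constant-time select in place of the two vulnerable branches, and a constant-time Legendre symbol. The block below is an added example (not code from the paper, from the WPA3 specification, or from the hash-to-curve draft) showing the shape of both: a mask-based select with no data-dependent branch, and a Legendre symbol via Euler's criterion computed with a square-and-always-multiply ladder whose iteration count depends only on the size of the prime. The Legendre construction is one standard way to do it and is not necessarily the algorithm of the paper's reference [73]; Python itself offers no timing guarantees, so what carries over to a C port is the structure, not the measured timing.

```python
# Added example: branch-free select and fixed-iteration Legendre symbol.
# Values are assumed to be non-negative and smaller than 2**bits.

def ct_select(flag: int, a: int, b: int, bits: int) -> int:
    """Return a if flag == 1 else b, without branching on flag.

    flag must be exactly 0 or 1. mask is all-ones when flag == 1
    and zero otherwise, so exactly one operand survives the AND.
    """
    mask = (-flag) & ((1 << bits) - 1)
    return (a & mask) | (b & ~mask)


def ct_eq(x: int, y: int, bits: int) -> int:
    """1 if x == y else 0, without a comparison branch.

    x ^ y is zero only when the values match; subtracting 1 then
    borrows into the sign exactly in that case.
    """
    return (((x ^ y) - 1) >> bits) & 1


def ct_modpow(base: int, exp: int, p: int) -> int:
    """base**exp mod p with a loop count fixed by p's bit length.

    Every iteration squares and multiplies; ct_select then keeps the
    multiplied value only when the exponent bit is set, so the
    sequence of operations does not depend on exp.
    """
    bits = p.bit_length()
    result = 1
    for i in range(bits - 1, -1, -1):
        result = (result * result) % p
        multiplied = (result * base) % p
        bit = (exp >> i) & 1
        result = ct_select(bit, multiplied, result, bits)
    return result


def ct_legendre(a: int, p: int) -> int:
    """Legendre symbol (a/p) for an odd prime p and 0 <= a < p.

    Euler's criterion gives a**((p-1)/2) in {0, 1, p-1}; the final
    step maps p-1 to -1 arithmetically instead of with an if/else.
    """
    r = ct_modpow(a, (p - 1) // 2, p)
    is_minus_one = ct_eq(r, p - 1, p.bit_length())
    return r - p * is_minus_one


if __name__ == "__main__":
    # Squares mod 23 are {1,2,3,4,6,8,9,12,13,16,18}, so 2 -> 1, 5 -> -1.
    print(ct_legendre(2, 23), ct_legendre(5, 23), ct_legendre(0, 23))
```

The branchy version the paper criticises would be `pow(a, (p - 1) // 2, p)` followed by an `if r == p - 1`; the difference here is that the multiply and the comparison are always executed and the answer is chosen by masking afterwards.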

2 comments

"A client should remember" just transfers things to first trust attacks, if you want to do it right you'd have to make sure you add the network to the device as WPA3 only from the get go.

Side channel attacks, sure, the standard could also have just said "don't be vulnerable to side channel attacks when generating secure data" along with everything else you should do to make a secure system.

Does it really matter how efficient the DoS attack is if any consumer gear can do the inefficient future-proof version anyways? As far as intelligent attacks go isn't this yet again an implementation detail where the AP should rate limit responses to a particular client based on its resources?

Sure, greenfield things should be written the best they reasonably can be, but not being the best something could be doesn't equate to insecure. It's a valid complaint about the standard but not an insecurity.

Again the paper had valid interesting findings in real world side channel attacks and some valid complaints that Dragonfly could have been implemented in a better way, but it's not focused on attacking those; instead it's focused on making big noise about how bad running things in WPA2 mode is, under the title of being about WPA3.

I again feel that most of these points are all discussed in the paper. Trust-on-first-usage is also used in SSH. Attack uses spoofed MAC addresses, hard to rate-limit that. Modern crypto should be designed to reduce chance of implementation flaws. Paper concludes that WPA3 is still better than WPA2. Most attacks are on WPA3's Dragonfly. Etc. The most practical attacks are downgrades to WPA2 though, so the press might focus too much on that.
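The rate-limiting exchange above (the reply's "the AP should rate limit responses to a particular client" against the answer's "spoofed MAC addresses, hard to rate-limit that") can be made concrete with a small admission model. This is an added example, not code from the paper or from any AP; the per-station and global limits, the 10 frames per second and the 10-second window are constructed numbers chosen to make the arithmetic visible. It counts how many commit frames an AP would admit into the expensive SAE computation under a per-source-address budget alone, and under a per-address budget combined with a global one.

```python
# Added example: fixed-window admission control for SAE commit frames.
# Limits and traffic figures are constructed for illustration.
from collections import Counter
from typing import Optional


class CommitAdmission:
    """Decide whether a commit frame gets to start the costly SAE work.

    per_station: max admitted frames per source address per second.
    global_limit: max admitted frames per second from all sources,
    or None for no global budget.
    """

    def __init__(self, per_station: int, global_limit: Optional[int]):
        self.per_station = per_station
        self.global_limit = global_limit
        self.station_counts = Counter()   # (src_mac, second) -> admitted
        self.global_counts = Counter()    # second -> admitted

    def admit(self, src_mac: str, now: float) -> bool:
        second = int(now)
        if self.station_counts[(src_mac, second)] >= self.per_station:
            return False
        if (self.global_limit is not None
                and self.global_counts[second] >= self.global_limit):
            return False
        self.station_counts[(src_mac, second)] += 1
        self.global_counts[second] += 1
        return True


def admitted_frames(distinct_sources: bool, per_station: int,
                    global_limit: Optional[int],
                    frames_per_sec: int = 10, seconds: int = 10) -> int:
    """Count admitted frames for one sender at frames_per_sec for seconds.

    distinct_sources=False: every frame carries the same source address.
    distinct_sources=True: every frame carries a different one, which is
    what defeats any limit keyed purely on the address.
    """
    gate = CommitAdmission(per_station, global_limit)
    admitted = 0
    for n in range(frames_per_sec * seconds):
        now = n / frames_per_sec
        src = f"02:00:00:00:{n // 256:02x}:{n % 256:02x}" if distinct_sources \
            else "02:00:00:00:00:01"
        if gate.admit(src, now):
            admitted += 1
    return admitted


if __name__ == "__main__":
    # Same address, per-station 2/s, no global cap: 2 * 10 = 20 admitted.
    print(admitted_frames(False, 2, None))
    # Distinct addresses, per-station 2/s, no global cap: all 100 admitted.
    print(admitted_frames(True, 2, None))
    # Distinct addresses with a global 5/s budget: 5 * 10 = 50 admitted,
    # but that budget is shared with every legitimate station too.
    print(admitted_frames(True, 2, 5))
```

The three calls show the trade-off the two commenters are circling: a per-address limit fully contains a sender that keeps one address, does nothing once each frame carries a new address, and a global budget bounds the AP's work only by also capping legitimate stations.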
Hmm, so I can't have several APs sharing the same ESSID with the newer ones supporting WPA3 and the older ones WPA2?
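The downgrade discussion running through this thread (the paper's "a client should remember if a network supports WPA3-SAE", the reply's objection that this only moves the problem to the first connection, the suggestion to add the network as WPA3-only from the start, and the mixed-ESSID question just above) fits in one small client-side policy. The block below is an added example, not code from the paper, from any supplicant, or from the WPA3 specification; the network names and the `permit`/`handshake_completed` hooks are constructed for the example and stand in for wherever a real client evaluates the AP's offered security before answering.

```python
# Added example: per-network downgrade guard for a Wi-Fi client.
# Network names and hook names are constructed for illustration.
from dataclasses import dataclass, field
from enum import IntEnum


class Akm(IntEnum):
    """Authentication and key management, ordered weakest to strongest."""
    OPEN = 0
    WPA2_PSK = 1
    WPA3_SAE = 2


@dataclass
class NetworkPolicy:
    sae_seen: bool = False    # learned: an SAE handshake completed before
    wpa3_only: bool = False   # provisioned: configured as WPA3-only upfront


@dataclass
class DowngradeGuard:
    policies: dict = field(default_factory=dict)

    def provision(self, ssid: str, wpa3_only: bool = False) -> None:
        """Add a network profile, optionally pinned to SAE from the start."""
        self.policies[ssid] = NetworkPolicy(wpa3_only=wpa3_only)

    def permit(self, ssid: str, offered: Akm) -> bool:
        """Return whether the client may proceed with the offered handshake."""
        pol = self.policies.setdefault(ssid, NetworkPolicy())
        if offered >= Akm.WPA3_SAE:
            return True
        # Anything weaker than SAE is refused once SAE is pinned,
        # whether learned from a past connection or provisioned.
        return not (pol.sae_seen or pol.wpa3_only)

    def handshake_completed(self, ssid: str, used: Akm) -> None:
        """Record a successful handshake; only SAE upgrades the pin."""
        pol = self.policies.setdefault(ssid, NetworkPolicy())
        if used == Akm.WPA3_SAE:
            pol.sae_seen = True


def scenario() -> dict:
    """Walk through the cases raised in the thread; every value should be True."""
    guard = DowngradeGuard()
    out = {}

    # Learned pin: first contact is SAE, so a later WPA2 offer is refused.
    assert guard.permit("home", Akm.WPA3_SAE)
    guard.handshake_completed("home", Akm.WPA3_SAE)
    out["learned_pin_blocks_wpa2"] = not guard.permit("home", Akm.WPA2_PSK)

    # The first-trust gap: a never-seen network offering WPA2 first is accepted,
    # and accepting it does not create a pin.
    out["fresh_profile_accepts_wpa2"] = guard.permit("cafe", Akm.WPA2_PSK)
    guard.handshake_completed("cafe", Akm.WPA2_PSK)
    out["wpa2_does_not_pin"] = guard.permit("cafe", Akm.WPA2_PSK)

    # Provisioning the profile as WPA3-only closes that gap.
    guard.provision("office", wpa3_only=True)
    out["provisioned_blocks_wpa2"] = not guard.permit("office", Akm.WPA2_PSK)
    out["provisioned_allows_sae"] = guard.permit("office", Akm.WPA3_SAE)

    # Mixed ESSID: once "home" is pinned, an older WPA2-only AP broadcasting
    # the same name is treated like a downgrade and refused.
    out["mixed_essid_wpa2_ap_refused"] = not guard.permit("home", Akm.WPA2_PSK)
    return out


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {ok}")
```

The last case is the direct answer to the mixed-ESSID question: under the remembered-SAE rule a client that has completed SAE against one AP will refuse the WPA2-only APs carrying the same SSID, which is the cost of closing the downgrade path.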